How to secure your WordPress website

I was sitting at my desk with tea in hand when I logged into my site to publish my daily post. But wait, what?! That’s not my site…

Yes, I’d been hacked.

Every day, hackers (which are typically ‘bots’ rather than humans) are scanning the web looking for easy targets. When they find a WordPress site that has questionable hosting, a weak password, an outdated version of WordPress or is running a theme or plugin with security issues, they know they’ve found their next target.

Today we’ll go over four simple ways you can beef up security on your WordPress site, so hopefully you’ll never have a morning (and afternoon, in fact) like I did.

1. Choose reputable hosting.

If you’re the DIY type of person — or on a tight budget — you might opt for shared hosting.

Especially if you’re a fan of natty mustaches.

You’ll be in charge of site maintenance, and you’ll be sharing your web host with other potentially less security-conscious users. While popular hosts (like GoDaddy, natch!) provide a reliable shared platform, you can’t control any unexpected security issues on the host’s end. Reputable hosts do, however, have the staff and expertise to get things resolved quickly — something that can’t always be said about smaller, cheaper shared hosts.

Servers are protected, backups are scheduled, plugins are pre-screened and security updates are performed automatically. You can sleep well at night knowing your hosting is the hands of experienced WordPress technicians.

2. Use a strong password.

Older versions of WordPress create a login user named admin by default. People (to tar an entire race with one brush) are notorious for choosing weak passwords, such as their dog’s name. Hackers know both of these facts, and they repeatedly try to log into your site (by means of a brute-force attack) by guessing your username and password.

2. If your username is admin or administrator, it’s time to switch to a new one. It can be practically anything: your name, nickname or just something unique. Make sure you set the Role to Administrator.

3. Log in as the new user, attribute your existing content to that user and finally, delete the admin user.

3. Block malicious login attempts.

To secure your site from brute-force attacks, use a plugin that blocks malicious logins. Jetpack Protect, found in the latest Jetpack plugin, records the IP address of login attempts. It uses this data, combined with data gathered from other Jetpack Protect users, to potentially block the login.

If you’re not interested in using Jetpack, the Limit Login Attempts plugin is another popular option. It hasn’t been updated in years and, as a rule, it’s always advisable from a security standpoint to use well-maintained plugins — so it shouldn’t be your first choice. But, with more than one million active installs, it’s still a widely used plugin to stop would-be attackers from launching a brute-force attack on your website.

4. Keep on top of updates and backups.

The latest versions of WordPress automatically perform small security updates on their own, but you still need to keep your themes and plugins up to date.

Remember when you were setting up your blog and you test-drove all those new themes and cool plugins? Just because you aren’t using a plugin or theme, if it shows up in the WordPress update screen it means hackers can still take advantage of any security exploits— so update everything.

When it comes to security, you can do everything right and bad things can still happen.

That’s why having a site backup is so important. The UpdraftPlus plugin makes taking backups simple and even enables you to schedule backups and store them with various cloud providers. To get started quickly you can perform a manual backup by clicking the Backup Now button.

I know it can be tempting to add more and more plugins to your site, but try to restrain yourself. New security exploits are discovered every day and each additional plugin or theme you install increases your exposure to future potential security problems.

Bonus recommendation: Be proactive

Hackers are sneaky. You might not even know your website has been compromised. Companies like Sucuri and Wordfence offer continuous malware scanning services that can alert you to problems almost immediately.

This might not be necessary for your average run-of-the-mill blog, but for a valuable web property it’s something to consider.

Wrapping up

With confidence in your hosting provider and having your logins secured, you’re off to a good start. Be sure to keep WordPress, your themes and your plugins updated — and don’t forget to take regular backups. Lastly, for future plugin and theme downloads, stick to WordPress.org, a reputable seller or a site you trust. For extra protection, look into a malware scanning service.

What are you doing to protect your site and make life difficult for hackers? Let us know in the comments!

Tom Ewer is a freelance writer, online entrepreneur, and the founder of Leaving Work Behind and WordCandy. He has been obsessed with WordPress since he first laid eyes on it, and has been writing educational and informative content for WordPress users since 2011. When he's not running his businesses, you're likely to find him outdoors somewhere – as far away from a screen as possible!